Is HIPAA Privacy Being Misused?

Thursday

Aug 20, 2015 at 12:01 AM
Aug 20, 2015 at 11:31 PM

Unless you have been totally out of circulation for the past decade, you have probably signed a Privacy Act Statement at one point or another either at your doctor’s office, for your insurance company, etc.

The regulations under the federal HIPAA (Health Insurance Portability and Accountability Act), the “Privacy Act,” are voluminous and can be complex. A New York Times article recently reported (July 17, 2015) on a number of ways the HIPAA regulations are being misinterpreted and abused, often creating serious or potentially serious consequences. The New York Times article gave three examples of how the law is being misused.

In a retirement community in New York, a 72-year-old woman went for her regular morning swim and noticed her friend was not there. She checked the friend’s apartment. No response. Questions to the staff of the retirement home revealed nothing. Was her friend in the hospital? Did she suddenly go on a visit to relatives? The friend was told staff could not tell her where her friend was due to “privacy” rules.

In another instance from the NY Times piece, a 56-year-old woman and her close friend were in a coffee café in a hospital in Boston. The 56-year-old’s husband was being treated at the hospital and was dying of cancer. She was telling her friend about everything that was going on when a third party walked over to their table and told them it was “a HIPAA violation” to discuss the details of a patient’s treatment in public.

In a third case which happened in York, Pa., a woman who was on a business trip to Chicago learned her 85-year-old mother was in the emergency room in York. Her mother had gone to the hospital after days of back pain and her daughter telephoned to alert the medical staff to her mother’s medication allergies. It took hours to find someone who would take down the crucial facts and already the woman’s mother had been prescribed a drug she was allergic to. (It turned out she had not been given it.) Again, the staff would not speak to her about her mother’s condition citing the “HIPAA (Privacy Act) regulations.”

In all three of these real-life scenarios, the Privacy Act was abused with the possible exception of the two women talking in the coffee shop. (If the patient objects to the provider (doctor, etc.) disclosing the information about his/her health and is not incapacitated, the information may not be disclosed.) (It appears in the instance described that the husband was incapacitated so the HIPAA law would not apply.)

The privacy law provides flexibility in disclosing information in the patient’s interest, according to Clinton Mikel, chairman of an American Bar Association (ABA) group on e-health and privacy, but it does not require the facility or person to disclose the information.

An assisted living facility or a nursing home can report a death. It can give a report on someone’s general condition if that person being reported on is within the facility. Administrators at a nursing home might prefer to keep a list of the people that a person would want to be informed about private health matters if such matters arose, including death of the resident. Attorney Mikel said “staff members’ fears of the consequences of an unintended Hipaa violation are probably overblown.”

Brief Summary of Background on HIPAA

The legislative history of HIPAA goes back more than two decades. The Act itself was enacted and signed by President Clinton in 1996 and was known as the Kennedy-Kassebaum Act. Title I of the Act covers health care access, portability and renewability. Title II concerns preventing health care fraud and abuse, medical liability reform and administrative simplification. Sections of the Act required the Secretary of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy and security of health information (Administrative Simplifications). Congress did not enact privacy legislation within the three-year limit mandated. Thus, “the final regulation,” the “Privacy Rule,” was published in December 2000.

HHS issued the Privacy Rule to address the use and disclosure of individuals’ health information. The Office of Civil Rights (OCR) enforces the rule with respect to voluntary compliance activities and civil (money) penalties. The rule is intended to strike a balance that permits use of information while protecting the privacy of those who seek health care.

In June, Rep. Doris Matsui of California introduced legislation to clarify who can divulge what under what circumstances under this rule. Matsui’s proposed bill would require HHS to create model training programs for providers and administrators. Matsui said family members can provide information to providers and there is generally no privacy consideration.

Who Must Follow HIPAA Laws? What Does or Doesn't It Protect?

• Health care providers such as doctors, nurses, pharmacists, hospitals, clinics, health insurance companies, HMOs, most employer group health plans, and Medicare and Medicaid.

In general, the following information is protected:

• Information doctors, nurses and other healthcare providers put in a person’s medical record
• Conversations a doctor has had with nurses and other healthcare professionals about a patient’s care or treatment
• Information about a patient in the health insurer’s computer system, including billing information
• Most other health information about an individual held by those who must follow the privacy rule.

What Are Your Rights Under HIPAA Privacy Rules?

Under federal law you have rights concerning your health information and there are rules and limits on who can look at and receive this information. (Source: NHPCO)

You have the right to:

• Request and receive a copy of your health records
• Have corrections added to your health information
• Receive a notice that informs you about how your health information may be used and shared. You also have the right to decide if you want to give permission for your health information to be shared for certain purposes such as marketing.
• Receive a report on when and why your health information was shared for certain purposes.
• File a complaint with the OCR about rights you believe are being denied
• Ask questions of your provider or health insurer about your rights, including how to file a complaint. Visit the website hhs.gov/ocr/hipaa or call 1-866-627-7748 for more information.

If you have questions about your rights or whether you have rights, it may be a good idea to consult with an attorney before proceeding with your question or complaint. Please call us at (330) 762-0700 for a free consultation with one of our experienced attorneys, or visit our website at slaterzurz.com and send us a message.

